1. Field of the Invention
The present invention generally relates to computer systems. More particularly, the present invention provides a method, system, and computer program product for quickly and automatically blocking a plurality of computer systems in response to detection of a widespread vulnerability or software infection.
2. Related Art
When one or more computer systems on a network are detected to have a vulnerability (e.g., lack of a required patch) or an active software infection (e.g., virus, worm, etc.), they must be isolated from the network to prevent further spread of infections. To isolate the computer systems, a common process is to manually block each computer system at its layer-2 (Media Access Control (MAC)) address, on a core switch in the network. After being blocked, data related to the computer systems is collected and stored in a database for later use in determining the problem, as well as for administrative use for unblocking the computer systems after the problem has been addressed. This is a very time-consuming process when performed manually, often taking several minutes per computer system. Unfortunately, in larger networks containing, for example, hundreds of computer systems, a software infection may spread at a rate faster than the computer systems can be manually shut down. Other solutions exist which perform blocking on a layer-3 Internet Protocol (IP) address level, but none of these solutions operate on a layer-2 MAC address.
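The related art above describes two pieces of work that are done by hand per machine: blocking the host at its layer-2 MAC address on a core switch, and recording what was blocked so that it can later be investigated and unblocked. The following Python is an added example, not code from the patent or from any product it describes, showing how the record-keeping half of that process can be automated so that it takes milliseconds rather than minutes per host. It assumes only the standard library (SQLite for the database); the ledger class, function names and the constructed sample MAC addresses are this example's own, and it deliberately stops at producing the list of MACs to block, since the switch-side command syntax is vendor-specific and is not given on the page.

```python
"""Added example: an automated ledger for layer-2 (MAC) quarantine records.

Normalizes MAC addresses in the common notations, records each block with the
switch, reason and timestamp, refuses duplicate blocks, and supports unblocking
once the problem has been addressed. Names and sample data are this example's own.
"""
import re
import sqlite3
from datetime import datetime, timezone

_SEPARATORS = re.compile(r"[:\-.]")
_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> str:
    """Return a MAC as lower-case 'aa:bb:cc:dd:ee:ff'; raise ValueError if malformed.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and 001122334455.
    """
    digits = _SEPARATORS.sub("", raw.strip()).lower()
    if not _TWELVE_HEX.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_mac(raw: str) -> bool:
    """True if normalize_mac() would accept the string."""
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False


class QuarantineLedger:
    """SQLite-backed record of which MACs are blocked, where, why and when."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS blocked ("
            " mac TEXT PRIMARY KEY, switch TEXT NOT NULL, reason TEXT NOT NULL,"
            " blocked_at TEXT NOT NULL, unblocked_at TEXT)"
        )

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def block(self, macs, switch: str, reason: str) -> dict:
        """Record a block for each MAC; return what was blocked, skipped or rejected.

        The 'blocked' list is the set of MACs a switch driver (not part of this
        example) would then actually block on the named core switch.
        """
        result = {"blocked": [], "already_blocked": [], "rejected": []}
        for raw in macs:
            try:
                mac = normalize_mac(raw)
            except ValueError:
                result["rejected"].append(raw)
                continue
            row = self.db.execute(
                "SELECT unblocked_at FROM blocked WHERE mac = ?", (mac,)
            ).fetchone()
            if row is not None and row[0] is None:
                result["already_blocked"].append(mac)  # active block exists
                continue
            # New block, or a re-block of a host that was previously released.
            self.db.execute(
                "INSERT OR REPLACE INTO blocked VALUES (?, ?, ?, ?, NULL)",
                (mac, switch, reason, self._now()),
            )
            result["blocked"].append(mac)
        self.db.commit()
        return result

    def unblock(self, raw: str) -> bool:
        """Release an active block; return False if the MAC was not blocked."""
        cur = self.db.execute(
            "UPDATE blocked SET unblocked_at = ? WHERE mac = ? AND unblocked_at IS NULL",
            (self._now(), normalize_mac(raw)),
        )
        self.db.commit()
        return cur.rowcount == 1

    def active(self) -> list:
        """Sorted list of MACs currently blocked."""
        rows = self.db.execute(
            "SELECT mac FROM blocked WHERE unblocked_at IS NULL ORDER BY mac"
        ).fetchall()
        return [r[0] for r in rows]


if __name__ == "__main__":
    # Constructed sample input: the same host in two notations, one other host,
    # and one malformed entry from a detection report.
    ledger = QuarantineLedger()
    print(ledger.block(["00-11-22-33-44-55", "0011.2233.4455",
                        "AA:BB:CC:DD:EE:01", "not-a-mac"], "core-sw-1", "worm"))
    print(ledger.active())
```

Keeping the ledger separate from the switch driver is a deliberate choice: the database is the authoritative record an administrator later consults to decide what to unblock, so it must not depend on whether the switch command succeeded, and a single normalized key per host prevents the same machine from being queued twice because two sensors reported its MAC in different notations.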